On Thu, Jul 05, 2018 at 09:47:51AM +0200, Wiktor Kwapisiewicz wrote: > > Does this mean that WKD would always be enabled? > > If so, this potentially leaks from whom email is being received to third > > parties, and I will patch my copy of mutt to remove it. > > It is triggered only when you want to send an e-mail *to* a person > AND explicitly enable encryption AND you don't have their key > locally. Then it queries that person's HTTPS server.
So... This isn't really too different. If the config option somehow got set unintentionally, it still potentially leaks information, even if it is on send rather than on receipt. It's actually worse, because it leaks whom you are actually sending messages to, rather than from whom you're receiving them... Received messages could be spam or other senders you simply don't know. Sending messages is a concious choice, so it reveals something material. People frequently copy mutt configs from the internet without really knowing what everything in them does. It's also possible that a developer, say someone who was experimenting with various options, could inadvertently set the option to yes before doing a checkin, and nobody immediately notices... -- Derek D. Martin http://www.pizzashack.org/ GPG Key ID: 0xDFBEAD02 -=-=-=-=- This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.
pgp3z4BKtwnEK.pgp
Description: PGP signature
